CVE-2024-30247 CRITICAL

CVE-2024-30247: Command Injection as root in NextCloudPi web panel

Vendor Nextcloud

Product nextcloudpi

Weakness CWE-78

Published March 29, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

10.0/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

NextcloudPi is a ready to use image for Virtual Machines, Raspberry Pi, Odroid HC1, Rock64 and other boards. A command injection vulnerability in NextCloudPi allows command execution as the root user via the NextCloudPi web-panel. Due to a security misconfiguration this can be used by anyone with access to NextCloudPi web-panel, no authentication is required. It is recommended that the NextCloudPi is upgraded to 1.53.1.

Key dates

02Disclosure timeline

March 29, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-30247

Related vulnerabilities

CVE-2024-30247: Command Injection as root in NextCloudPi web panel

01Description

02Disclosure timeline

03References

04Related CVE